5 Myths About Passwords You Should Stop Believing


We’ve been using computer passwords for decades, yet it seems like no one can agree on how you should pick a password, what it should contain, or whether a given password is good enough. Let’s cut through it.

Phrases Are Inherently Unsafe Passwords

Passphrases, unlike typical passwords, are strings of words rather than random characters.

Because they’re composed of words rather than a random string of letters, numbers, and special characters, there is sometimes a misconception that they’re more vulnerable to being brute-forced, especially if hackers are using a dictionary attack. However, that isn’t really the case. As long as you pick your passphrase carefully, a 4-word passphrase could have hundreds of quadrillions of possible combinations and take millions or billions of years to crack.

The big risk with passphrases is picking extremely common phrases. You should avoid phrases that occur in music, television shows, movies, books, or other media to be safe. Definitely don’t use your favorite quote by someone famous.

With only that small caveat, passphrases offer one huge benefit: they’re much easier to remember than equally long passwords. For example, “birdDandeLionTanktoeGlasses” is much easier to remember than “6dCV^skr%H4b6r9Xn8TAP5z86$6.”

Changing Your Password Regularly Enhances Security

Many services require you to change your password regularly, but unless you’re reusing passwords (which you should never do) or there has been some kind of data leak where your password was exposed, it doesn’t really add any benefit.

Brute-forcing a moderately strong password could take billions of years, and that assumes the attacker is free to make as many attempts as they want. Well-designed login systems don’t allow that: they have ways to stop anyone from trying 100,000,000 combinations against the login form, and an account should be locked after only a handful of failed attempts.

The only time someone should even be able to attempt to crack your password like that is if they get a copy of the password database. Ideally, whoever designed the system took the appropriate precautions to ensure that the stored passwords would be difficult to crack.

Unfortunately, that isn’t always the case, so you should change your password if a database containing it is ever stolen. If you don’t, you may be vulnerable to credential stuffing.
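The two properties described above (an account that locks after a handful of failed attempts, and a stored password that is hard to recover even if the database is stolen) look like this in code. This is an added illustration, not code from the article or from any particular login system; the work factor, lockout threshold and lockout duration are assumed policy values, and the user store is an in-memory dictionary standing in for a real database.

```python
# Added example: a minimal login check that (1) stores only a salted, slow
# PBKDF2-HMAC-SHA256 hash of each password and (2) locks an account after a
# handful of failed attempts, so online guessing cannot run through millions
# of candidates. Policy constants below are assumed, not taken from the article.
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ITERATIONS = 600_000       # PBKDF2 work factor (assumed value)
MAX_FAILURES = 5           # failed attempts before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked (assumed policy)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class LoginService:
    """In-memory user store; `clock` is injectable so lockout expiry can be tested."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}      # username -> {"salt": bytes, "digest": bytes}
        self.failures = {}   # username -> {"count": int, "locked_until": float}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest}

    def is_locked(self, username: str) -> bool:
        state = self.failures.get(username)
        return bool(state) and self.clock() < state["locked_until"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad-credentials' or 'locked'."""
        if self.is_locked(username):
            return "locked"          # no hashing, no hint whether the password was right
        record = self.users.get(username)
        if record is None:
            # Hash anyway so an unknown username takes as long as a wrong password.
            hash_password(password, b"\x00" * 16)
            return self._fail(username)
        _, candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["digest"]):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        return self._fail(username)

    def _fail(self, username: str) -> str:
        state = self.failures.setdefault(username, {"count": 0, "locked_until": 0.0})
        state["count"] += 1
        if state["count"] >= MAX_FAILURES:
            state["locked_until"] = self.clock() + LOCKOUT_SECONDS
            state["count"] = 0
            return "locked"
        return "bad-credentials"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "birdDandeLionTanktoeGlasses")
    print(svc.login("alice", "birdDandeLionTanktoeGlasses"))   # ok
    for i in range(MAX_FAILURES):
        print(svc.login("alice", "guess-%d" % i))              # bad-credentials ... locked
    print(svc.login("alice", "birdDandeLionTanktoeGlasses"))   # locked
```

Two design choices matter here: `hmac.compare_digest` keeps the comparison constant-time, and a locked account returns the same answer whether or not the password was right, so the lockout itself leaks nothing. The salt plus the slow hash is what makes a stolen table expensive to crack; the lockout is what makes the live login form useless for guessing.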

Special Characters Are the Only Way to Make Strong Passwords

Everywhere you go, when you try to select a password, you’re informed that each password must contain a mixture of upper and lowercase letters, plus numbers and special characters.

This already sets you up to believe that those qualities are what make a strong password, but the reality is more complicated than that.

There are two big factors that determine a password’s strength: length and complexity.

Complexity refers to how many different kinds of characters you use (letters, numbers, and symbols), while length is simply how many characters you use.

In general, the strongest passwords will be the ones with the largest number of possible guesses.

That means your password either needs to use many different kinds of characters, be very long, or both.

Password Length Is the Only Thing That Matters

On the other hand, it is true that passwords (and passphrases) get better as they get longer, but there is more to strength than just length.

For example, you could create a password that is 10 characters long that would likely be broken nearly instantly: aaaaaaaaaa.

The real strength of added length only applies if a password is random, or at least close to random. Repeating characters, or common sequences of letters or numbers, like 12345 or abcdef, are fairly easily cracked.
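The arithmetic behind the last few sections, as an added worked example rather than anything from the article: the number of possible guesses for a password of a given length and character set, the same number for a passphrase when the attacker knows the word list (the earlier “4-word passphrase” claim), and a simple check for the non-random patterns (repeated characters, runs like 12345 or abcdef) that length alone does not fix. The guess rates and the 7776-word dictionary size are assumptions used only to make the numbers concrete.

```python
# Added example: search-space arithmetic for passwords and passphrases, plus a
# check for the patterns that make a long password weak anyway. Guess rates and
# the dictionary size are assumed figures, not measurements from the article.
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed attacker speeds, purely for illustration.
ONLINE_GUESSES_PER_SECOND = 10.0            # rate-limited login form
OFFLINE_SLOW_HASH_GUESSES_PER_SECOND = 1e4  # stolen table, slow salted hash
OFFLINE_FAST_HASH_GUESSES_PER_SECOND = 1e11 # stolen table, fast unsalted hash


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size


def search_space(length: int, alphabet: int) -> int:
    """Guesses needed to exhaust every string of `length` characters over `alphabet` symbols."""
    return alphabet ** length


def passphrase_space(word_count: int, dictionary_size: int) -> int:
    """Guesses needed when the attacker knows the word list and the number of words."""
    return dictionary_size ** word_count


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def bits_of_entropy(space: int) -> float:
    return math.log2(space)


def looks_random(password: str) -> bool:
    """False for the patterns the text calls out: a character repeated three or more
    times in a row, or four characters that step through the alphabet/digits in order."""
    lowered = password.lower()
    for i in range(len(lowered) - 2):
        if lowered[i] == lowered[i + 1] == lowered[i + 2]:
            return False
    for i in range(len(lowered) - 3):
        codes = [ord(ch) for ch in lowered[i:i + 4]]
        steps = {codes[j + 1] - codes[j] for j in range(3)}
        if steps == {1} or steps == {-1}:   # ascending or descending run
            return False
    return True


def report(password: str) -> dict:
    """Summarise one password: its character-class space and how long exhausting it takes."""
    space = search_space(len(password), charset_size(password))
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(bits_of_entropy(space), 1),
        "years_online": years_to_exhaust(space, ONLINE_GUESSES_PER_SECOND),
        "years_offline_fast": years_to_exhaust(space, OFFLINE_FAST_HASH_GUESSES_PER_SECOND),
        "looks_random": looks_random(password),
    }


if __name__ == "__main__":
    for pw in ["aaaaaaaaaa", "birdDandeLionTanktoeGlasses", "6dCV^skr%H4b6r9Xn8TAP5z86$6"]:
        print(pw, report(pw))
    # The passphrase seen as four words from an assumed 7776-word list:
    words = passphrase_space(4, 7776)
    print("4 words / 7776-word list:", words, "guesses,",
          round(bits_of_entropy(words), 1), "bits,",
          years_to_exhaust(words, OFFLINE_SLOW_HASH_GUESSES_PER_SECOND), "years at 1e4/s")
```

The point the numbers make: “aaaaaaaaaa” scores the same 26^10 by character-class arithmetic as any other ten lowercase letters, yet `looks_random` rejects it, because real cracking tools try repeated and sequential strings first. The passphrase column also shows why dictionary size matters: the character-class estimate for “birdDandeLionTanktoeGlasses” is far larger than 7776^4, and the smaller figure is the honest one once the attacker knows it is built from common words.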

Strong Passwords Are a Substitute for Two-Factor Authentication (2FA)

I hear this one a lot: “I don’t need two-factor authentication, a password is enough.”

That may be true for accounts that you don’t care about and that don’t matter, but never for anything important.

The unfortunate reality is that passwords are a fundamentally flawed system. People reuse passwords all the time and pick weak passwords that are easily brute-forced, even though they shouldn’t.

Passwords are also vulnerable to malware like keyloggers, which can literally steal your password as you type it. And that isn’t even to mention phishing, where an unsuspecting victim is tricked into handing over their password.

2FA protects you from almost all of that as long as you take the right precautions and remember to never, under any circumstances, give your 2FA codes to anyone.


If you find keeping track of long and complex passwords or passphrases daunting, your best option is a password manager—it takes care of the hard part for you.

Of course, good passwords and 2FA are only one part of good digital hygiene. Where possible, keep secured backups of important files and information and don’t expose yourself to unnecessary risk.
